Constangy Cyber Advisor 

Consumer Privacy Protection Act

The goal of the Consumer Privacy Protection Act is to provide more transparency and control to Canadian citizens surrounding the use of their personal data. If passed, the CPPA would not only replace the Personal Information and Electronic Documents Act — Canada’s current metric governing consumer privacy — but also impose more severe penalties for violations. The CPPA aims to remove some of the onus from the consumer and focus more on the accountability of the organization collecting and using the data.

After the second reading of the Bill C-27, three amendments to the CPPA were proposed:

• The fundamental right to privacy. This proposed amendment would, in the purpose statement of the Bill, provide a stronger foundational commitment to Canadian privacy by stating that the right to privacy is a fundamental right.
• Children’s privacy. Although the CPPA already deems all personal information obtained from a minor to be “sensitive,” the proposed amendment reinforces protection and creates a stronger priority on children's privacy. It would amend Section 12 of the Bill to encourage organizations to consider the special interests of minors when determining whether personal information is being collected, used, or disclosed for an appropriate purpose.
• Penalties for noncompliance. The proposed amendment would allow the Office of Privacy Commissioner greater responsibility to act on its own accord with regard to private sector violations. The Office would be permitted to levy financial penalties via a compliance agreement between the Office and a non-compliant organization, eliminating the need to go to the Tribunal or Court.

Artificial Intelligence and Data Act

The Artificial Intelligence and Data Act would create Canada’s first AI-specific regulatory framework to hold organizations responsible for AI activities under their control. The AIDA is designed to improve accountability and promote the responsible design, development, and deployment of AI systems. After the second reading of Bill C-27, these five amendments were proposed:

• High-Impact Systems. As it currently stands, the AIDA requires organizations to identify, assess, and mitigate the risk of harm and bias in “high-impact systems.” The Government provided a list of seven initial classes that would clarify the meaning of high-impact systems. Additionally, the Government proposed an amendment that would allow for these classes to be modified as technology continues to evolve.
• Alignment with the European Union AI Act. The Government proposed amendments to more closely align the Bill with international discussions. The amendments are targeted at broadening the scope of AI systems by providing key definitions that will better account for future technological changes.
• AI value chain. Amendments were proposed to clarify the obligations of persons responsible for developing, managing, and making high-impact systems available. The amendments provide a clear set of responsibilities for a more cohesive process.
• Specifying obligations for generative general-purpose AI systems. The Government proposed amendments that would create specific requirements for generative general-purpose AI systems, such as ChatGPT. Although these systems can be used in a wide variety of contexts for different tasks, they would not be regulated as high-impact systems. Similar to the AI value chain, there would be a set of clear responsibilities for developing, managing, and making general-purpose systems available.
• Role of the AI & Data Commissioner. The Government supports amendments that would provide greater clarity to the purpose and function of the AI & Data Commissioner. The amendments would cover things such as the ability to carry out a mandate independently and the ability to provide cohesive coordination across the AI regulatory system.

Background

On June 16, 2022, Bill C-27 was introduced by Francois-Philippe Champagne, Canada's Minister of Innovation, Science and Industry, and David Lametti, Canada’s Minister of Justice and Attorney General. Bill C-27 was tabled by Parliament until April 24, 2023, when the Bill had its second committee reading. On September 26, 2023, Mr. Champagne appeared before Parliament’s Standing Committee on Industry and Technology to address feedback and concerns expressed after the Bill's second reading, and proposed the amendments described above.

Bill C-27 is still under consideration by the Standing Committee. It is imperative for businesses operating in Canada to become familiar with the Bill’s requirements. The Bill will apply to private-sector organizations at the federal level and, as already noted, would have a broader scope than the laws currently in place.

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary and recommended updates to their privacy, information technology and security, and compliance programs to address these complex and evolving developments. If you would like additional information on how Bill C-27 may affect your organization, please contact us at cyber@constangy.com.